WLC ACL blocks internet only on Nook tablet

Kentws7766 · ‎06-27-2013

Win7 laptops work fine. Nook gets IP but No internet. ACL is on the Controller and even if I remove all rules and permit any/any, still no internet on Nook. If I take ACL off, Nook gets internet. I have googled this & can’t find anything. Anyone ever come across this? 4404 running 1142 APs.

George Stefanick · ‎06-27-2013

I haven't had issues with the nook. I have had issues with iPads and Netflix which was a DNS issue on the app. I would be interested in seeing a sniff of the nook traffic. Looking into what this devices is trying to talk to may help. Based on your comments makes little sense and could be a bug.

Sniff the nook traffic either on the wireless or wired and let's see where it's going

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Kentws7766 · ‎06-27-2013

I don’t have any sniffers, unless you know of a free one I can download. Or, do you suggest I capture any WLC logs and if so, which ones.

George Stefanick · ‎06-27-2013

You can use wireshark. Span the wlc port where the wlc connects to the wired switch.

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Kentws7766 · ‎07-30-2013

Ok, we set this up in the test lab. When we connected without an acl, it does try to head out to Barnes & Noble, but when we apply an ACL (Permited any/any), then it doesn't even try to get out, yet it still has an IP and we can still ping it from the controller, although a link test from the Controller fails.

Kentws7766 · ‎07-30-2013

The nooks IP is 10.33.64.11 & Barnes & Noble is 65.204.48.9

Without ACL:

609 41.490916000 65.204.48.9 10.33.64.111 TCP 60 https > 57580 [RST, ACK] Seq=1 Ack=1 Win=5204 Len=0

610 41.490988000 65.204.48.9 10.33.64.111 TCP 128 https > 57580 [RST, ACK] Seq=1 Ack=1 Win=5204 Len=0

582 35.100123000 65.204.48.9 10.33.64.111 TCP 60 https > 53596 [RST, ACK] Seq=1 Ack=1 Win=5613 Len=0

583 35.100201000 65.204.48.9 10.33.64.111 TCP 128 https > 53596 [RST, ACK] Seq=1 Ack=1 Win=5613 Len=0

With ACL

109 18.001621000 Cisco_18:1c:03 PVST+ STP 64 Conf. Root = 4096/1/00:0a:b7:18:1c:00 Cost = 0 Port = 0x8003

110 18.426866000 Barnes&N_0d:eb:d3 Cisco_e8:63:f0 802.11 146 Probe Request, SN=339, FN=0, Flags=...P...., SSID=WDC-Guest-TestLab

111 18.432880000 Barnes&N_0d:eb:d3 Cisco_e8:63:f0 802.11 146 Probe Request, SN=340, FN=0, Flags=...P...., SSID=WDC-Guest-TestLab

112 19.515568000 Cisco_58:6b:40 Broadcast ARP 60 Who has 192.168.107.1? Tell 192.168.107.100

Kentws7766 · ‎07-30-2013

We also tried it with a branbd new Nook HD, same issue.

Kentws7766 · ‎07-30-2013

whoops, the Nooks IP is: 10.33.64.111

Kentws7766 · ‎07-31-2013

Ok, figured it out, it ended up being a DNS issue. When the DHCP Scopes were created, didn't realize that there were 5 DNS Servers (option-6) that any new DHCP Scope defaulted to. Our Access List was configured with only the two Primary & Secondary DNS servers for allowed access. Thus, these Nooks were hitting the other DNS server(s) first and the ACL was blocking the other three servers. For some rerson, most devices wer able to reach out to another DNS Server & connect to the internet, but the Nooks stopped after it tried connecting to the first DNS Server. So, we removed the 5 DNS Servers from the DHCP Scope down to the two (Primary DNS Server & Secondary DNS Server) and all was fine.

We also found out that the Cisco Aironet IE extension option on our autonomous APs had to be disabled for iPads to connect to the wireless on our 1220 autonomous APs.